FOREWORD


Because of the seamlessly international nature of the Internet,
effective cyber security demands close cooperation with allies and
friends overseas. Yet, because of the relatively young status of the
discipline, national approaches to organizing and providing for cyber
defense vary widely even among those countries whose interests are most
closely aligned with those of the United States. The result is that the
bodies and structures responsible for cyber defense, and their
affiliations and mandates, can be difficult to understand.

In this Letort Paper, British cyber policy researcher Keir Giles and
German computer security specialist Kim Hartmann provide an overview of
four different national approaches to cyber defense: those of Norway,
Estonia, Germany, and Sweden. While providing a useful guide for
engagement with the relevant governmental and other organizations in
each of these countries, the Paper also compares and contrasts the
advantages and drawbacks of each national approach.

In doing so, the authors provide a valuable resource for policymakers
in the cyber security field, identifying potential best practices that
could be applied in the United States and elsewhere.

SUMMARY


Despite the history of offensive cyber activity being much longer than
is commonly thought, cyber defense is still considered a new
discipline. It is only relatively recently that states have established
formal structures to provide for cyber defense, and cyber security more
broadly. In this context, each nation has developed its own mix of
public, private, and military organizations active in the field.

The relationships between these organizations are based on the nation's
unique circumstances, determining the overall shape of relations
between the state and business, the approach to e-government, civilian
control of the military, threat perception, and much more. The United
States is no exception and has developed its own approach to organizing
cyber defense based on factors specific to it. But the wide range of
organizational approaches to reaching a "best fit" template for
successful cyber defense raises the possibility that other nations may
have developed approaches that could be usefully adopted in a U.S.
context.

This Paper introduces four different foreign approaches to cyber
defense, each very different from the U.S. model. In surveying the
cyber defense organizations of Germany, Sweden, Norway, and Estonia,
the Paper aims not only to provide baseline information on overseas
structures and planning in order to facilitate U.S. cooperation with
international partners, but also to provide policymakers with an
overview of effective alternative approaches that may be applicable in
a U.S. context.

CYBER DEFENSE: AN INTERNATIONAL VIEW


Despite the history of offensive cyber activity being much longer than
is commonly thought, cyber defense is still considered a new
discipline. It is only relatively recently that states have established
formal structures to ensure cyber defense, and cyber security more
broadly. In many nations, these structures are still in a state of flux
as the optimum approach to defense against cyber threats for the
military, the economy, the government, and the population as a whole is
still being elaborated.

In this context, each nation has developed its own mix of public,
private, and military organizations, and the relationships between them
based on their own unique circumstances — relations between the state
and business, approach to e-government, civilian control of the
military, threat perception, and much more. The United States is no
exception and has developed its own approach to organizing cyber
defense based on factors specific to the United States.

But the broad variety of organizational approaches to reaching a "best
fit" template for successful cyber defense raises the possibility that
partner and ally nations may have developed approaches that can be
successfully adopted in a U.S. context. This Paper therefore surveys
the approaches of four partner states, in order to present them in an
easily accessible form for U.S. policymakers. In introducing foreign
approaches to cyber defense that may not be obvious in a U.S. context,
the aim is also to provide baseline information on overseas structures
and planning to facilitate U.S. cooperation with international
partners.

The Paper is specifically not concerned with technical capabilities in
cyber offense and cyber defense. It is notoriously difficult to reach
reliable conclusions about cyber capabilities from open sources. The
extent of real capabilities, or in some instances the lack of them, is
so deeply classified that an unclassified publication on the subject
would consist mostly of unfounded speculation. Nevertheless, in some
European societies with a tradition of openness of information, it is
possible to draw inferences about organizational aspects of
preparations for cyber defense, as opposed to actual capabilities, on
the basis of open sources and direct approaches to defense
organizations.

The  countries  selected  for  examination  are  Estonia, 
Germany,  Norway,  and  Sweden,  in  that  order.  This  is 
because: 

1. Estonia has a number of claims to pioneer status in cyber defense.
This state has practical experience of protecting itself against
offensive online activity combined with a real-world destabilization
campaign, in what is widely (if questionably) considered the first
overt state-on-state cyber attack in May 2007. Tallinn is host to the
North Atlantic Treaty Organization (NATO) Combined Cyber Defence Centre
of Excellence (CCDCOE), set up in 2008 in what was widely (but again,
wrongly) considered to be a response to those attacks. Estonia is at
the forefront of moving government services online; personal
identification acts as a key to an impressive range of services that
other states consider unsafe to operate through the Internet.
Governmental and societal embrace of the Internet is exemplified in the
President of the Republic, Toomas Hendrik Ilves, an enthusiastic
participant in social media, Internet freedom activist, and chair of
the "Panel on the Future of Global Internet Cooperation," a body set up
by the Internet Corporation for Assigned Names and Numbers to develop
future principles for Internet governance. For all of these reasons,
Estonia presents a useful case study of what can be achieved if the
political will to implement radical change is present.

2. Germany represents a major economy, guided by (broadly) the same
principles as the United States with regard to the balance between
security and individual rights and freedoms online but subject to
historical, institutional, and European constraints that do not apply
to the United States. In this respect, Germany offers an example of a
G7 state (United States, Japan, Germany, France, United Kingdom, Italy,
and Canada) that has chosen a different model to protect its online
networks.

3. Norway is in a unique position within Europe, being an active and
enthusiastic member of NATO, but remaining outside the European Union
(EU). The constraints and opportunities for Norway's foreign and
defense policy therefore differ from those of other states, and this
singularity is reflected in a number of specific Norwegian approaches
to security and economic challenges. Close cooperation with the United
States is one of these opportunities.

4. Sweden has, in some ways, the reverse challenge. As a member of the
EU but not of NATO, Sweden (along with its neighbor, Finland) has to
maintain a delicate balancing act. The benefits of close cooperation
with the United States and NATO are clear and unarguable, but this is a
topic of intense domestic sensitivity. Sweden's traditionally robust
and independent stance on defense issues has come under threat, but the
emphasis on cyber security — and on the international cooperation
necessary to maintain it — remains strong. In addition, Sweden presents
the paradox of a society that traditionally has been among the most
open and democratic in the world, hosting defense and intelligence
programs, including in the cyber sector, whose secrecy is more closely
guarded than those of almost all European partners.

For each of these countries, a survey of institutions and declaratory
policy on the basis of publicly available documentation has been
supplemented by interviews with officials active in cyber security. In
each case, while these officials were willing to confirm details of
national cyber security structures, they did not wish to be identified
or linked to specific comments. The summaries at the end of each
national section and in the conclusion are in part based on these
non-attributable interviews.

It will be seen that there are both synergies and dissonances between
the national approaches adopted by each of these states. These national
approaches remain crucial in the apparent absence of real supranational
support for cyber defense. Even after the Wales Summit in September
2014, NATO's cyber strategy appears to remain an anti-strategy,
devolving cyber defense to member states. Meanwhile, the EU's European
Network and Information Security Agency (ENISA) appears similarly to
limit its ambition to being a center for expertise and information
sharing.

ESTONIA


Estonia is reputed to be the country with the world's highest Internet
penetration rate. In December 2011, this rate was already 78 percent.
This results from deliberate government policy rooted in the early days
of Estonia's renewed independence in the early 1990s. At that time,
Estonia took the strategic decision not to attempt to renew or overhaul
the wholly insufficient and backward Soviet telecommunications system,
and instead adopted modern systems such as mobile phone networks in
parallel. The result is a highly advanced technical infrastructure,
with few of the problems of reliance on legacy telecommunications
systems and hardware that have restrained Internet uptake elsewhere.

A further strategic decision was to develop systems to provide state
services to all citizens online, in part as a result of Estonia's
relatively low population density. The development of these e-services
made Estonia a world leader in the field and contributed to Estonia's
impressive record of post-Soviet growth. However, as the 2007 attacks
on Estonia showed, it also presents vulnerabilities. Estonia therefore
presents an example of an approach to protecting cyber infrastructure
and critical data where not only is a key adversary already known and
present, but also the concentration of citizen processes online
(including but not limited to banking, voting, registering commercial
transactions, and so on) means that there is no alternative to reliable
defense.

General Structure.


Cyber  security  in  Estonia  is  mainly  organized 
through  the  Estonian  Information  System  Authority 
(EISA)  and  its  subunits.  EISA  is  part  of  the  Ministry 
of  Economic  Affairs  and  Communications  but  may 
also  cooperate  closely  with  the  Ministry  of  Justice, 
Ministry  of  Defense,  and  Ministry  of  the  Interior. 

In addition, the Defense League (Kaitseliit), a voluntary defense
organization along military lines, also contributes to "the protection
of Estonia's independence and constitutional order." A cyber unit
cooperates closely with governmental institutions and initiatives.
Known as the Küberkaitseliit, this is made up of volunteer cyber
security experts.

Detail. 

EISA. 

EISA, also known by its Estonian abbreviation RIA, was reorganized in
2011 from the former Estonian Informatics Centre and is structurally
integrated in the Ministry of Economic Affairs and Communications. EISA
coordinates cyber security actions for both the private and public
sector. These activities include the development, administration, and
supervision of cyber security actions.

EISA publishes an annual report summarizing events, activities, and
observations related to cyber security in Estonia. EISA is also taking
part in the NutiKaitse 2017 project promoting security on smart devices
and aimed at users, developers, and retailers.

EISA is the governing authority of two other bodies, the Department of
Critical Information Infrastructure Protection (CIIP) and the Computer
Emergency Response Team of Estonia (CERT-EE), which are discussed next.
EISA also provides the Document Exchange Centre and supervises the
implementation of Infosüsteemide Kolmeastmeline Etalonturbe Süsteem
(three-level information technology [IT] baseline security system),
abbreviated ISKE, at the national level. ISKE is based on the German
IT-Grundschutzkatalog (see the section on Germany for further details).

EISA also provides information on the Data Exchange Layer X-Road.
X-Road is described as being "a technical and organizational
environment, which enables secure Internet-based data exchange between
the state's information systems." Furthermore, EISA is involved in the
management, maintenance, and support of the national Public Key
Infrastructure (PKI). This implies involvement in supporting the
Estonian identification (ID) card system, used to provide secure access
to many online services.

Department  of  Critical  Information  Infrastructure 
Protection. 

CIIP is a subunit of EISA. CIIP focuses on "issues associated with the
protection of technical infrastructures needed to guarantee the
functioning of the Estonian state." The Estonian Emergency Act provides
a list of 42 essential services that need to be assured, including
payments and settlements.

CIIP operates on the strategic level by collecting, maintaining, and
analyzing data regarding critical information infrastructures in
Estonia. CIIP also performs risk assessment for these infrastructures,
and initiates and supervises the development and implementation of
protective measures.

Linked to its actions on the strategic level, CIIP issues guidelines on
cyber security, such as the regulation on security measures for
information systems of vital services and related information assets
and the Estonian Cybersecurity Strategy 2008-2013.

CIIP operates under the information security interoperability
framework, a description of IT-security principles observed in Estonia
and how state institutions and vital service providers are to
interoperate.

CIIP recommends security measures based on a number of foreign best
practice manuals. These are the U.S. Cyber Consequences Unit
Cyber-Security Check List, in a version last updated in 2007; ISKE,
based on German documentation as described previously; and the United
Kingdom (UK) Centre for the Protection of National Infrastructure
(CPNI) Guidelines on Supervisory Control and Data Acquisition (SCADA)
Security.

ISKE provides a range of documentation on security guidelines that,
unlike many other materials, are only available in Estonian. These
include:

•  ISKE material and handbook (ISKE juhendid ja materjalid)
   —  Implementation guidelines (ISKE rakendusjuhend ver. 7.00)
   —  ISKE catalogue version 7.0 (ISKE kataloogid ver. 7.00)
•  Suggested guidelines (Soovituslikud juhendid)
   —  Data center security requirements (Andmekeskuse turvanõuded)
   —  Cryptographic algorithms, uses, and life cycle study
      (Krüptograafiliste algoritmide kasutusvaldkondade ja elutsükli
      uuring)

Computer Emergency Response Team of Estonia.

The  CERT-EE  is  another  subunit  of  EISA.  CERT-EE 
defines  its  main  tasks  as: 

•  Reviewing and reporting on incidents;
•  Providing warnings and notices, and the organization of preventive
   measures such as campaigns to raise public awareness; and,
•  Support for institutions and Internet Service Providers (ISPs). The
   extent of support depends on the security incident reported and the
   resources available. As a general policy, no end-user support is
   given.

As a subunit of EISA, CERT-EE also provides and develops the Virtual
Situation Room (VSR) in cooperation with Clarified Networks Finland,
acquired by the Finnish-U.S. corporation Codenomicon in 2011. VSR,
financed by the European Regional Development Fund, is a unified
platform used for cyber security situation information sharing,
analysis and visualization of data, providing training material and
simulations, and post-crisis analysis and crisis management improvement
techniques. VSR is accessible to governmental institutions and
companies providing vital services.

Küberkaitseliit.

Küberkaitseliit is the cyber unit of the Defense League (Kaitseliit).
The Kaitseliit is "a voluntary militarily organized national defense
organization" that possesses arms, engages in military exercises, and
fulfils the tasks prescribed by the National Defense League Act. Its
cyber subdivision is made up of cyber security professionals who
volunteer their time and skills for national defense, with main tasks
listed as:

•  Protection of Estonia's e-lifestyle,
•  Public-private cooperation in protecting IT infrastructure, and
•  Knowledge and information sharing.

The Küberkaitseliit supports government institutions in implementing
the national cyber security strategy and — especially in a crisis
situation — cooperates closely with CERT-EE and the Ministry of
Internal Affairs.

Summary. 

The Estonian approach to cyber security rests on a clear division but
smooth cooperation between state actors, the public sector, and the
Estonian Defence League. This is supported by extensive public
documentation and a clear sense of purpose from government.

Estonia also makes strong contributions to European and international
cooperation on cyber security, but not all public documentation is
provided in languages other than Estonian. This is surprising in the
case, for instance, of the ISKE, which is based on the German
BSI-Grundschutzkatalog, a document that is already — at least
partially — available in English.

The establishment of overarching structures to facilitate cooperation
between providers of essential services is a priority. Estonia actively
promotes the individual's role in cyber security issues, the need for
infrastructures that allow smooth interaction, high-quality
communications, and the integration of nonstate institutions and
companies in national cyber strategies.

Estonia  has  embraced  the  concept  that  cyber 
conflict  cannot  be  resisted  through  governmental 
institutions  alone,  but  must  rather  be  approached 
through  the  collaboration  of  government  institutions, 
nongovernmental  organizations,  and  private  sector 
companies. 

GERMANY 

The first German strategies on a federal level to protect technical
infrastructure against malfunction arose in response to the "millennium
bug." As elsewhere, during the 1990s, automation of technical
communication, transportation, information, and organization systems
had risen in importance for military, governmental, and industrial
organizations in Germany. The Y2K problem raised national awareness of
vulnerabilities accompanying reliance on technical systems. The
potential effect on individual citizens primarily was gauged as a
factor of their dependence on national or industrial services; home
computers, laptops, and other technical equipment used for private
purposes were not considered targets of national relevance.

The importance of protecting technical infrastructure against both
deliberate and accidental destruction, disturbance, and malfunction was
publicly acknowledged during the first years of the 21st century. The
establishment of the first federal strategic program to protect
technical infrastructures in 2002 was immediately tested by a natural
disaster — unprecedented flooding that severely affected a number of
European countries. Widespread malfunctions of technical infrastructure
throughout the affected area hindered emergency management and
increased the damage. The result was greater acknowledgement of the
need to protect technical infrastructure and greater prominence of the
effects on individual citizens in public discussion. Nevertheless,
awareness of risk associated with privately used information technology
is still deficient, both within civil society as well as in industrial,
government, and occasionally even military applications.

General  Structure. 

The Cabinet of Germany (Bundesregierung) is the chief national
executive body at federal level. It consists of the elected chancellor
(Bundeskanzler) and the cabinet ministers. Each cabinet minister is
responsible for one specific sector of national interest. The
responsibility for these sectors is currently divided among 14 federal
ministries. Overlaps between the scope of these ministries can occur,
and this is particularly the case when considering protection against
cyber threats.

Figure 1 lists some of the many ministries and their associated special
agencies that are involved in cyber defense in Germany. Interactions
between the following institutions in particular are key to
understanding the German approach to cyber security and will be
discussed further:

•  The German Chancellery
   —  Federal Intelligence Service (Bundesnachrichtendienst)
•  Federal Ministry of the Interior
   —  Federal Office for Information Security (Bundesamt für Sicherheit
      in der Informationstechnik, BSI)
   —  Federal Agency for the Protection of the Constitution (Bundesamt
      für Verfassungsschutz)
   —  Federal Criminal Police Office (Bundeskriminalamt)
•  Federal Ministry of Defense
   —  Military Counterintelligence Service (Militärischer
      Abschirmdienst)
   —  Federal Defense Forces of Germany (Bundeswehr)
      -  Strategy Reconnaissance Command (Kommando Strategische
         Aufklärung, especially the Abteilung Informations- und
         Computernetzwerkoperationen)
•  Federal Ministry of Finance
   —  Customs Criminal Investigation Office (Zollkriminalamt)
•  Federal Ministry of Economics and Technology

Detail. 

Due to the complex federalized nature of German administration, many
German cyber defense activities are managed through joint programs.
This is in part a result of legal constraints arising from
constitutional emphasis on division between state, civilian, and
military actions, which means that activities within each sector must
be clearly distinguishable from those in another. As a result,
synergies between each responsible agency are limited. For example,
even if a joint program allows military institutions to cooperate with
the police, this can only happen if the specific incident under
investigation is a clearly defined military responsibility.

Figure 1. Selection of German Ministries and Departments Involved in Cyber Defense


KRITIS. 


Several programs have been developed to meet a range of challenges
associated with the protection of critical infrastructures, referred to
generically as KRITIS. The primary programs are UP KRITIS
(Umsetzungsplan KRITIS), UP Bund (Umsetzungsplan Bund), and
KRITIS-Strategie.

The two UP programs were developed in 2005 from the previous
"Nationaler Plan zum Schutz der Informationsinfrastrukturen" (National
Plan for Information Infrastructure Defense, NPSI) program. While UP
KRITIS is concerned with the general protection of IT infrastructure of
the telecommunication, energy, transportation, and economic sectors, UP
Bund covers the protection of federal IT infrastructure. Both UP
programs are considered policymaking institutions; technical
implementation of recommendations made through the UPs becomes the
responsibility of sectors and organizations for which they are
responsible.

KRITIS-Strategie, the "National Strategy for Critical Infrastructure
Protection," was drawn up in 2009 on the basis of knowledge gained from
UP KRITIS, and summarizes Germany's objectives and strategic political
approach in this area. The Strategy extended the initial remit of the
program and included IT infrastructure as one of the critical
infrastructures to be protected. Protection of IT infrastructure has
been allocated to the National Cyber Defense Center and the National
Cyber Security Council, created under the Cybersecurity Strategy
released in 2009.

The National Cyber Defense Center.

The National Cyber Defense Center was established as a response to
growing threats, in particular the increasing number of highly specific
and organized attacks on governmental and industrial information
systems in Germany. The Center coordinates the numerous ministries,
departments, and special agencies involved in national cyber defense.
In this way, the existence of the Center underlines the German view
that cyber attacks come in a variety of forms and vectors, and as such
must not be addressed through only one federal institution.

The Center is operated by the Federal Office for Information Security
(BSI) and includes representation from the Federal Agency for the
Protection of the Constitution, Federal Office of Civil Protection and
Disaster Assistance, Federal Criminal Police Office, Federal Police,
Customs Criminal Investigation Office, Federal Intelligence Service,
and the Federal Defense Forces of Germany (Bundeswehr). Each agency
contributes personnel with specific responsibilities, who remain
affiliated to their original office. As a result, implementation of
tasks assigned within the Center becomes the responsibility of the
contributing agency. The Cyber Center also cooperates directly with
German ISPs.

The Center's main tasks are the prevention of cyber attacks,
information sharing on attacks and vulnerabilities, and early warning
for exposed and threatened institutions. According to the BSI, the
Center analyzes and reports on vulnerabilities found in IT products,
incidents, infrastructural vulnerabilities, and cyber attack methods.
It also analyzes incidents to generate attack and attacker profiles.
The Center is the technical adviser to the National Cyber Security
Council (Cyber Sicherheitsrat), which was founded simultaneously with
the Center.

Due to the scope of the institutions involved, and control resting with
the BSI, the Center is more likely to be a reactive than a proactive or
offensive institution and is mainly concerned with incident response,
forensics, and policy actions. The German military organization
corresponding to the Cyber Center is the Kommando Strategische
Aufklärung. Oblique references in open sources suggest that the
Kommando has been developing offensive cyber capabilities since, at the
latest, 2009.

The  National  Cyber  Security  Council. 

The main task of the Council is to enhance exchanges between
governmental and industrial organizations on preventive cyber measures
on a political and strategic level. Recent topics for discussion have
been the protection of critical infrastructure and the cyber foreign
policy of Germany.

The Council meets three times a year and is chaired by the Commissioner
of the Federal Government for Information Technology. The Council is
composed of one state secretary and representatives from the German
Chancellery, the Federal Ministry of Foreign Affairs, the Federal
Ministry of Defense, the Federal Ministry of Economics and Technology,
the Federal Ministry of Justice, the Federal Ministry of Finance, the
Federal Ministry of Education and Research, and representatives of the
federal states Baden-Württemberg and Hessen. Furthermore, business
representatives from the BDI (Federation of German Industries), BITKOM
(Federal Association for Information Technology, Telecommunications and
New Media), DIHK (Chambers of Commerce and Industry), and Amprion (the
largest corporation responsible for the German electricity distribution
network, with a major role in European electricity distribution more
broadly) act as associated members of the Council. Technical experts
may also be involved in specific events.

IT Baseline Protection Catalogs.

The IT Baseline Protection Catalogs (IT-Grundschutzkataloge) are a collection of documents provided by the BSI for the protection of IT infrastructure and the identification and eradication of vulnerabilities in IT systems. They serve as a basis for certifying enterprises for IT security compliance. They are divided into three sub-catalogs covering components, threats, and measures. Each uses a layer model to describe different aspects of the topic presented.

The component catalogs are divided into five layers: general aspects, infrastructure, IT systems, networks, and IT applications. Each layer is addressed to a specific audience. They describe different methods and actions to be taken for each IT component in different situations. Recommendations are provided throughout the component life cycle.

The threat catalogs describe the range of vulnerabilities associated with IT components and are divided into the following layers: force majeure, organizational deficiencies, human failures, technical failures, and deliberate acts. Each threat and its source is briefly described, followed by examples of possible outcomes and their effects on the component.

The measures catalogs describe the countermeasures to be taken in order to protect systems, subdivided into Infrastructure, Organizational, Personal, Hardware/Software, Communication, and Emergency Response. Each countermeasure identifies the individual responsible for initiation and execution, followed by a specific description of the actions to be taken. The measures catalogs also provide checklists to monitor correct implementation and to verify the results.

As noted in the section on Estonia, which has based some of its own documentation on these catalogs, a number of these documents are also available in English.

CERTs. 

As in other states, the term Computer Emergency Response Team (CERT) refers to a group of IT experts consulted during serious incidents. CERTs exist within a range of organizations and businesses. The key governmental CERTs are the Bürger-CERT (Public CERT), CERT-Bund (CERT-Federal), and the CERTBw (CERT Federal Defense).

The Bürger-CERT provides technical information on IT vulnerabilities, viruses, worms, cyber attacks, and methods through information boards, newsletters, and mailing lists to technically interested individuals. This is a free service provided through the BSI, using data obtained from the CERT-Bund. A second service, aimed to inform the broader public (i.e., including individuals who are not technically adept), is provided through the BSI on the website BSI für Bürger (BSI for Citizens).

The CERT-Bund and the IT-Lagezentrum together make up Department C-21 of the BSI. Within the department, the CERT is the technical solution center for security issues faced in federal institutions, while the IT-Lagezentrum collects security data from multiple national and international sources. Together, this allows Department C-21 to provide detailed assessments of security issues. Depending on the result of this assessment, warnings may be forwarded to the Bürger-CERT or the relevant KRITIS authorities. It is reported that the IT-Lagezentrum not only relies on the data pools provided, but also carries out network monitoring "to detect irregularities."

The CERTBw is the Federal Defense Forces (Bundeswehr) CERT. The CERTBw is responsible for the monitoring, maintenance, and restoration of IT security for the German military forces. Its responsibilities also include incident response and management and network monitoring and analysis. CERTBw also analyzes vulnerabilities in the German military IT infrastructure, analyzes malware, and provides an information and alert service.

CERTBw reports that the number of hostile incidents it deals with has remained steady at 700-800 per year for the last 4 years. This figure is startlingly low. When asked to explain this, one interviewee suggested that this could be a result of the strict delineation of authorities within the German system, which would mean that attacks on public-facing military websites would not be included in this figure:

Perhaps one should rather say [the CERTBw reporting] 'counts approx. 800 incidents per year on technical infrastructures lying within its area of responsibility'? I also think that the number is incredibly low and, knowing the German system, I believe the reason is that a lot of stuff will not fall under their authority. I could imagine that for example the public sites of the German Forces are not part of the CERTBw authority and so on.

The CERTBw is also responsible for the security of IT infrastructure used during active military operations.

Summary. 

Overall, Germany seems to promote an open access policy regarding its cyber defense strategies. Both policy documents and technical details are available from official websites. Once the infrastructure and organizational details are clear, further details can be deduced from official job offers, which often include specifics of the level of knowledge needed, the type of technical infrastructure to be worked on, and the tasks to be undertaken during employment. Even organizational details not directly available through agency websites normally can be accessed through the Bundesverwaltungsamt (Federal Office of Administration).

NORWAY 

General Structure.

Public attention to the defense of cyberspace has increased enormously in Norway over recent years. Cyberforsvaret (Cyber Defense) is a forsvarsgren (military branch) of the Norwegian Armed Forces alongside the Norwegian Air Force, Army, Navy, and Home Guard. The Cyberforsvaret was established in 2012, denoting Norway as one of the countries that officially acknowledge cyberspace as a new military domain. The integration of cyberspace as a military branch expresses the importance of the topic to the Norwegian government.

Other institutions involved in the cyber defense programs of Norway under the auspices of the Armed Forces include Nasjonala Sikkerhetsmyndigheten (National Security Authority, or NSM) and the Norwegian Computer Emergency Response Team (NorCERT). Furthermore, depending on the type of attack experienced, either the Etterretningstjenesten (Norwegian Intelligence Service, the intelligence service of the Norwegian Armed Forces) or the Norwegian Police Service may respond to an attack with further investigations.

The police service is responsible for any attack/criminal activity on the Internet originating from within Norway against Norwegian infrastructures or individuals; it investigates the attack and initiates further activities. The Politiets sikkerhetstjeneste (Norwegian Police Security Service) and Kripos (nasjonale enhet for bekjempelse av organisert og annen alvorlig kriminalitet, former Kriminalpolitisentralen, translated to National Criminal Investigation Service) are involved in the investigations as appropriate. In addition, the Norwegian government has established the Norsk senter for informasjonssikring (Norwegian Center for Information Security, NorSIS), to heighten public awareness of cyber threats and possible countermeasures.

Detail.

Cyberforsvaret.

Established on September 18, 2012, as an independent military branch of the Norwegian Armed Forces, Cyberforsvaret evolved from the Forsvarets informasjonsinfrastruktur (Defense Information Infrastructure) department of the Norwegian Armed Forces and has a manpower of approximately 1,100. The main task of Cyberforsvaret is to establish cyberspace (cyberrommet) as a full-fledged military domain. It is responsible for the development of defense methods for cyberspace and for the protection of military components from threats originating from cyberspace. Cyberforsvaret is not responsible for protection of public infrastructure but may support public organizations such as NorSIS upon request.

Cyberforsvaret is organized into two major departments, responsible for "competence and transformation" and "services and operations" with several subdepartments. The branch is scheduled to introduce offensive cyber capabilities by 2016, noting that:

Military operations in the digital space have both protective and intelligence purposes and offensive objectives/goals. This has been an added dimension of military operations and thus a new warfare area where the ability to conduct both defensive and offensive operations will be crucial in future conflicts.

Cyberforsvaret is currently offering research positions in cyber security. Researchers are to be integrated and employed in the newly established Center for Cyber and Information Security (CCIS) at the Gjøvik University College. The CCIS is the result of a partnership between "key national cyber security stakeholders." The CCIS thus provides significant detail on the nature and extent of cooperation on cyber security between Norwegian military, police, and public institutions.

Nasjonala Sikkerhetsmyndigheten.

The NSM is a sub-division of the Forsvarsdepartmentet (Defense Department) and is responsible for the coordination of preventive security measures and for monitoring the current security status. The NSM's primary tasks are countermeasures against espionage, sabotage, and terrorism, and the protection of sensitive information.

The NSM is Norway's key body responsible for the control and organization of information and physical security activities. Although the NSM belongs to the Forsvarsdepartmentet, it also reports to the Justis- og Politidepartment (Ministry of Justice and Public Security) with respect to public information security interests. The NSM also publishes annual reports on Norway's security status (Rapport om sikkerhetstilstanden) and is the host organization for NorCERT.


NorCERT. 

NorCERT is the operational taskforce of the NSM. NorCERT reports on current cyber security threats that may pose a risk to national security and may also take part in incident response and analysis. Although NorCERT is hosted by the NSM, it also cooperates closely with a range of nongovernmental bodies in the varslingssystem for digital infrastruktur (warning system for digital infrastructures, or VDI). The VDI was initiated as a joint project between the Etterretningstjenesten, Politiets sikkerhetstjeneste (Intelligence Service, Police Service) and NSM in 2000.

The VDI controls a number of sensors installed at ISPs to monitor data traffic. VDI sensors had been installed at Norsk rikskringkasting AS, NRK (Norwegian Broadcasting Corporation, a government-owned radio and television broadcasting company) in 2006, but NRK decided to remove them amid widespread controversy over data capture and monitoring in November 2012.

NorSIS. 

NorSIS forms part of a Norwegian government initiative to heighten public awareness of cyber security threats and their impact on everyday life as well as on national security and is hosted by the Justis- og beredskapsdepartmentet (Ministry of Justice). Its major task is to inform, analyze, and recommend countermeasures against cyber security threats for the public. NorSIS is responsible for both the private and public sector, and may request support from Cyberforsvaret or NorCERT. NorSIS also compiles guidelines and recommendations for improving IT security overall.

Summary. 

Norway is responding to a significant number of attacks against its infrastructure. Despite numerous activities to heighten cyber security, there is still concern about Norway's vulnerability as a nation dependent on its IT systems. Despite the fact that Norway has only recently begun to integrate cyber defense on a national level, previous achievements leave Norway well placed to be one of the best equipped European countries for cyber defense. The VDI sensors, in place since 2000, provide network-specific security and surveillance, while, to some extent, disregarding privacy issues.

In 2012, Vidar Sandlad, senior consultant to NorSIS, observed that one key cyber security problem is the naivety of the Norwegian public. Programs and education provided by NorSIS and the information campaigns established by the Norwegian government are heightening awareness and knowledge of computer security. Norway appears to be experiencing less difficulty in communicating to its public the vital role of individuals in ensuring cyber security than does Sweden.

SWEDEN 

General Structure.

The cyber defense strategies of Sweden are organized primarily through two ministries and their subdepartments: the Ministry of Defense and the Ministry of Justice. The Ministry of Defense is in charge of eleven divisions, both military and civilian:

•  Swedish Armed Forces (Försvarsmakten)

•  Swedish National Defense Radio Establishment (Försvarets radioanstalt)

•  Swedish Defense Research Agency (Totalförsvarets forskningsinstitut)

•  Swedish Defense Materiel Administration (Försvarets materielverk)

•  Swedish National Service Administration (Rekryteringsverket / former Pliktverket)

•  Swedish National Defense Export Agency (Försvarsexportmyndigheten)

•  Försvarsunderrättelsedomstolen (a court responsible for the judicial review of defense operations)

•  Swedish Coast Guard (Kustbevakningen)

•  Swedish Civil Contingencies Agency (Myndigheten för samhällsskydd och beredskap)

•  Swedish Defense Intelligence (Statens inspektion för försvarsunderrättelseverksamheten)

•  Swedish Accident Investigation Board (Statens haverikommission)

The divisions known to be involved in the cyber defense of Sweden are the Swedish Armed Forces, the Swedish National Defense Radio Establishment (FRA), and the Swedish Defense Research Agency (FOI).

Under the Ministry of Justice, a sub-department of the Swedish Police (Svenska Polisen), the Säkerhetspolis (Swedish Security Service, or SAPO) is also involved in cyber defense activities. SAPO is generally concerned with national security issues, such as counterterrorism, counterespionage, protection of the constitution, and protection of officials. However, according to official documents, the SAPO is also responsible for the replacement and maintenance of security related IT components of the Swedish police. A specific example given is "signal protection material" (Signalskyddmatriel), referring to any component used to protect communications.

The sub-departments of the Ministry of Defense may be considered responsible for threats originating from outside Sweden, including military actions, while the SAPO and its associated divisions exist to protect Sweden against terrorism, espionage, and violations of the constitution. Interaction between the Department of Defense sub-departments and the SAPO is much stronger than in other countries in Europe, which demand a strict delineation between military and civilian operations.

Detail. 

FRA. 

Although it is subordinate to the Ministry of Defense, the FRA is a civilian institution. It is responsible for the surveillance of civilian and military communication, as well as the establishment, maintenance, and support of IT security in governmental institutions and public enterprises.

The FRA is mostly known for its comprehensive monitoring of data communications. Monitoring methods and the Titan communications storage database are controversial issues within Sweden. The existence of Titan was disclosed in a Swedish television report on FRA collection and storage methods in June 2008. It is not disclosed to what extent the FRA stores communication content and metadata.

The FRA may monitor communications on orders from the Swedish government, the Chancellery, the Ministry of Defense, the Swedish Criminal Investigation Department (Rikskriminalpolisen), or the SAPO. These orders must be approved by the Försvarsunderrättelsedomstolen, a court responsible for the judicial review of defense operations.

As a result of adjustments to numerous laws collectively referred to as FRA-Lagen, the FRA officially is now allowed to monitor Swedish communication links constantly. The data collected is stored up to 12 months and may legally be exchanged with other nations and research institutions.

Communications monitoring assets available to the FRA include the HSwMS Orion (A201) SIGINT vessel and two Gulfstream IV aircraft. In 2010, it was announced that the outdated Orion would be replaced by a new warship by 2015. The Swedish government announcement included a statement that "... currently the Baltic Sea is safe." Although the new vessel is mentioned repeatedly in the context of observations of the closer seas, this could also imply that the Orion is to be substituted by a ship more suitable for overseas operations as well.

The annual FRA budget was intended to be increased by almost 5 percent to SEK (Swedish krona) 860 million (approximately $118 million) in 2014.

Military Intelligence and Security Service.

The Militära underrättelse- och säkerhetstjänsten (Military Intelligence and Security Service, MUST) is a division of the Swedish Armed Forces and cooperates closely with the FRA, FOI, and others. However, MUST is also known to work with the SAPO on a regular basis to expand intelligence and security services to civilian areas.

MUST is an intensely security-conscious organization, to the extent that (according to interviewees) staff names are not available even in internal documentation and directories, which refer only to number sequences or aliases. This operational security measure is intended to counter foreign recruiting, blackmail, and observation actions targeting MUST employees due to their knowledge of current operations and capabilities. Interviewees note the effect that this has on former colleagues with a public profile disappearing entirely from view when joining a Swedish intelligence agency, a process some refer to as "going into the fog." They also highlight the exotic nature of a process such as this in a country like Sweden, which is sufficiently open and public that the Royal Family's tax declarations are available online.

With reference to IT security, MUST's annual report states that it has been involved in the acquisition, setup, integration, and verification of technical components. It also notes that, since 2013, it has acknowledged that technical components may be manipulated and impose an IT security risk. MUST referred particularly to doctored computer mice sending data to external observers, manipulated components including backdoors for attackers, and incidents that seem to refer to unrecognized transmission of data through USB.

As a result of concerns like these, MUST verifies any technical equipment prior to its installation within the Swedish Armed Forces or its other clients. In 2013, MUST also published an internal document describing methods to establish and maintain the security and confidentiality of material in various areas, including IT systems. Despite the document not being intended for external distribution, a version was accessible through the Försvarsmaktens file server.

IT-Försvarsverbandet.

The IT-Försvarsverbandet (ITF) is a division of the Swedish Armed Forces, known to cooperate with MUST. The ITF focuses on IT threats, whereas MUST operates as both an intelligence and security agency with IT being just one of the areas covered.




Little information has been released on the ITF, but a combination of newspaper reporting and the organization's public job advertisements shows that the ITF employs an unknown number of IT forensic specialists as well as operating system developers. It recruits individuals capable of analyzing network traffic and code, capable of exploiting zero-day actions in systems, and having a profound knowledge of the execution of cyber attacks. It cooperated with the respected KTH forensic laboratory in analysis of the Flame virus detected in Stockholm in December 2012, which led to speculation on personnel transfer between the two organizations.

SAPO. 

SAPO is the nonmilitary Swedish Intelligence Agency and is under the jurisdiction of the Swedish Police National Board. It is involved in protection of IT infrastructure, recruiting, and employing experts to install, maintain, and verify components. The SAPO may also support MUST with investigations. Interviewees suggested that in contrast to Germany, Sweden historically has "not been strict" with separation of powers between military and civil security.

FOI.

The Defense Research Agency (FOI) engages in research rather than operations, but it benefits from direct access both to public and military policy researchers and to technical experts. As a result, it delivers some of the most significant reports on the IT security situation in Sweden. In particular, these include reports on:

•  The risk of social media usage by employees within the Swedish Armed Forces.

•  The risk involved in the handling of tasks needing varying levels of security and confidentiality by one user on a single piece of equipment. Within this report, the need for development of a so-called reactive network was raised. This reactive network would be capable of automatically adjusting network security policies to the current actions performed by the user.

•  The risk associated with the widespread use and dependency of Swedish infrastructures on wireless communication. FOI discussed easily accessible jammers and their use by criminal organizations to disrupt Swedish investigation services, emergency response actions and police operations.

Summary. 

All states experience a wide disparity between the perception of cyber security risk by the government and by members of the public. In Sweden, this gulf seems particularly broad. Although the Swedish population is well-educated and accustomed to using IT from an early age, general disinterest in the risk of individual attacks poses a national threat. This disinterest may be a function of Swedish attitudes to and understanding of privacy.

Privacy and breaches of privacy are terms often dependent on the sociocultural background of the user. In some respects, Sweden is an exceptionally open-minded and public society. Furthermore, its citizens are generally prosperous, which means that the prospect of minor financial losses is not critical. These two factors may lead to the public having a rather casual interest in the security of their electronic devices, which lowers the acceptability of security measures.

Sweden considers itself well-protected against attacks originating from outside the country, but Swedish networks are vulnerable to internal attacks. At the same time, the relaxed attitude to privacy works in Sweden's favor by providing a permissive environment for government monitoring of communications. In November 2013, Swedish Foreign Minister Carl Bildt defended surveillance practices, including cooperation with foreign intelligence partners, by saying, "We have one of the clearest, most law-abiding and probably best systems in this regard. I would think that other countries see us as a role model." Bildt successfully deflected criticism, defending the FRA law and arguing that there was sufficient transparency and oversight of its methods.

Swedish decisionmakers recognize the risk posed by individuals to Swedish national cyber security, thanks to high connectivity and widespread use and dependency on IT. They are beginning to respond to this attitude by developing automated security tools that operate without the involvement of the user.

Despite Sweden being one of the most open societies in Europe, military activities in cyber defense are kept more confidential than in any other country surveyed. This is a reflection of a broader, and perhaps paradoxical, acceptance of the role of the military as a security provider and the necessary level of secrecy this entails. Interviewees felt that the large areas of Sweden designated for national security activities that are inaccessible to the public and only reached through nonsignposted private roads were sufficiently noteworthy to be brought to the interviewer's attention; in many other countries, the existence of closed military areas would be entirely normal and uncontroversial.

This may be a legacy from the pervasive nature of Cold War preparations for total defense against Soviet aggression. One classic example is the plan for dispersed basing of the Swedish Air Force during hostilities, including the use of roads as runways, which has had an enduring effect on the layout of some sectors of Swedish highways. Interviewees suggested that as a result, major infrastructure projects in Sweden must receive approval from the defense forces due to the risk that changes to transportation, energy, or other networks may interfere with critical but undeclared capabilities. This extends to the cyber domain: adaptation of communications networks must receive approval due to the risk of disrupting sensitive surveillance, monitoring, or other capabilities.

The combination of several factors makes Sweden one of the better protected countries within Europe. These include:

•  strong (cyber) border surveillance through the FRA;

•  one central controlling unit protecting Swedish network infrastructure;

•  the willingness of the Swedish public to accept and support data monitoring; and

•  generous laws allowing cutting-edge government research on cyber attack methods and system exploits.

CONCLUSION AND IMPLICATIONS FOR U.S. POLICYMAKERS


Each nation reviewed in this Paper has developed a distinctive organizational structure it considers (at present) the best fit for providing for cyber defense, given its own unique societal, political, and constitutional circumstances. Fundamentally, however, the cyber challenges each of these states faces are very similar to those facing the United States. As a result, this review of national approaches to organizing cyber defense shows national initiatives that may be helpful when considered for development in the United States, but it also illustrates some models and constraints U.S. policymakers would specifically wish to avoid.

Estonia. 

Estonia has the key advantage of being a small and cohesive society, unified by a generally shared threat perception and benefiting from advanced infrastructure and an impressively forward-thinking national government and president. This results in Estonia being a recognized role model within Europe and a vigorous promoter of international cooperation on cyber defense issues.

Estonia's wholesale adoption of e-services and e-government, while facilitating economies and growth, accepts risk of vulnerabilities. In mitigation, the country explicitly promotes civil integration in ensuring robust cyber defense. One interviewee noted that:

Estonia has understood that cyber war cannot be responded to through government institutions alone, but must rather be approached through the collaboration of governmental institutions, non-governmental organizations and private sector companies.


For U.S. policymakers, Estonia provides a case study of risk versus benefit involved in the moving of government and commercial services online, as well as NATO becoming a proactive and forward-leaning partner in facilitating collective cyber defense.

Germany. 

Germany seems to promote an open-access policy regarding its cyber defense strategies, including releasing a surprising depth of technical detail on security standards in both German and English. This policy must present a useful resource to any adversary seeking to circumvent and subvert those standards.

The dispersed nature of the cyber defense structure has a perceived advantage in that no central institution presents an attractive single target for attack, just as no single exploit can compromise infrastructure as a whole. But at the same time, despite the copious public documentation, Germany's federal system and constitutional constraints make it difficult to establish which agency is responsible for defending against which threat; this potentially presents an even greater challenge for foreign partners such as the United States, which seeks to increase cooperation with Germany.

Norway.

Norway's response to the challenge of cyber defense still appears to be in active development. But it has already achieved an impressively compact and simple organizational structure, in sharp contrast to Germany.

The sense of vulnerability resulting from dependencies on IT networks is well developed — a problem accented by the aim of finding economies of administration in areas with very low population densities. But Norway has been proactive in communicating the role of the individual in national cyber security (and overcoming "national naivety"), thereby limiting cyber defense vulnerabilities arising from internal networks. This has resulted in a public education effort with markedly greater impact than in Germany or Sweden.

Sweden. 

Sweden, too, expresses official concern at the lax attitude of citizens to "cyber hygiene," and the resulting potential for increasing vulnerability to cyber attacks at the organizational or national level. This is in contrast to Sweden's reportedly robust defenses against attacks originating outside Sweden, thanks to a long-standing and proactive interest in close control and monitoring of international communications traffic passing into and through the country. In some respects, Sweden has filled the role of a regional cyber defense champion. Past cooperation between the FRA and U.S. and UK partner agencies has been highlighted in media reporting, and Sweden has acted as the de facto provider of some aspects of cyber defense for Finland, pending legislative reforms intended to allow Finnish security agencies to inspect their own data traffic.

Effective implementation of cyber defense principles is likely facilitated by the relative secrecy in which they are applied, as noted earlier. In the absence of the formal supranational relationship provided by shared membership of NATO, this makes it difficult to assess from open sources the extent to which effective cooperation between Sweden and the United States can be further developed.

In short, each national approach has its own advantages and deficiencies.

Advantages. 

Germany provides clear national technical security advice; Estonia is strong in developing and installing technical solutions to ensure security; Norway has a robust public education program; and Sweden has invested heavily in protecting itself against external threats.

Deficiencies. 

Germany suffers from a highly complicated federal system where responsibilities may overlap or leave gaps; Estonia accepts a degree of risk in its almost universal move of government services online; Norway is still expanding the capabilities of its recently established cyber defense forces; and Sweden experiences difficulty involving its public in cyber security measures.

Each of these provides a case study against which the United States can benchmark and validate its own cyber defense assumptions.